SmokeLoader is a quite old but still very popular bot generally used to drop other malware families or deploy additional modules that implement some nice features.
The other day I was checking a sample from a recent campaign, and as I was stepping through the loader I found some interesting stuff I hadn't seen before. In the latest releases of the 2018 version of SmokeLoader they have implemented some anti-debugging checks, as well as anti-vm, anti-disassembly and anti-analysis in general.
CERT Polska did a great job describing most of them. Some are really neat, like the one that calculates the address of the next instructions based on the values of BeingDebugged and NtGlobalFlag.
However, the anti-hooking check is not described in the blog post (maybe it wasn't present yet) and it's actually preventing SmokeLoader from detonating on Cuckoo Sandbox and possibly others.
The assembly snippet of this check is the following:
I've commented the assembly to make it easier to read.
Basically the bot has a list of Windows functions that it's checking for userland hooks. To do this, it compares the first bytes of each function with hardcoded assembly byte patterns commonly used when hooking functions in userland.
We can see in Cuckoo's monitor source code that the opcodes used for hooking are the same.
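To make the check concrete, here is a small Python analysis helper of the kind used when inspecting a process dump for user-mode hooks. It is an added example and not code from the SmokeLoader sample or from Cuckoo; the sample's own list of functions and hardcoded patterns is not reproduced in the post, so the matcher uses the generic x86 hook stubs (jmp rel32, jmp through an absolute pointer, push/ret, and the short jmp left by hotpatching). The function names, addresses and bytes in SAMPLE_FUNCTIONS are constructed.

```python
import struct

# Constructed sample: the first bytes of two functions as they might be read
# from a process running under a user-mode hooking monitor. Addresses and
# bytes are made up for this example.
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")      # mov edi,edi; push ebp; mov ebp,esp
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", 0x10002000 - (0x77A01230 + 5))  # jmp rel32 to a trampoline

SAMPLE_FUNCTIONS = {
    "NtCreateFile":           (0x77A05E10, CLEAN_PROLOGUE),
    "CreateProcessInternalW": (0x77A01230, HOOKED_PROLOGUE),
}


def classify_prologue(func_va, code):
    """Classify the first instruction of a function.

    Returns (kind, target): kind is "clean" or the hook stub found; target is
    the absolute address control is diverted to (for jmp_indirect it is the
    address of the pointer slot, since the slot's contents are not in `code`).
    These are the textbook stubs, not the sample's own pattern list (assumption).
    """
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                # jmp dword ptr [abs]
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 2 and code[0] == 0xEB:                        # jmp rel8 (hotpatch style)
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp_rel8", (func_va + 2 + rel) & 0xFFFFFFFF
    return "clean", None


def find_hooked(functions=SAMPLE_FUNCTIONS):
    """Return {name: (kind, target)} for every function whose prologue is a hook stub."""
    hooked = {}
    for name, (va, code) in functions.items():
        kind, target = classify_prologue(va, code)
        if kind != "clean":
            hooked[name] = (kind, target)
    return hooked


if __name__ == "__main__":
    for name, (kind, target) in find_hooked().items():
        print(f"{name}: {kind} -> {target:#010x}")
```

The same prologue comparison is what the bot performs against its own list of APIs, which is why a monitor that writes one of these stubs at the very first byte of an exported function is visible to it. When reading real memory, compare against the bytes of the same function in the on-disk module so that legitimate hotpatch padding is not reported as a hook.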
TL;DR: Technical low-level analysis of the cheat, including the licensing scheme and the differences between the public and private versions.
CS:GO is one of the most popular competitive online games; it has 520.285 current players as I write these lines. As in any other competition-driven game, cheaters arise, and especially in the CS community they have become a serious problem.
Today we are taking a look at the public and private version of a cheat for this game!
I won't mention the name of the cheat to avoid giving them free advertisement and because it's not necessary for this post, but if you're into this topic, you'll probably guess.
Before we start, it's important to mention that I managed to get a private version build through an alternative channel 😈. This means I never paid the developer, so I didn't support their business in any way! Damn you, cheaters!
Public vs Private version
This cheat is quite accessible, as the developer provides a public (free) version with all the capabilities for users to try. The most important "downside" is that the public cheat is obviously detected by VAC, so if you use it on a VAC-protected server, it's only a matter of time before your account gets VAC-banned.
Here is where the paid private version comes into play: Customers get a unique build that is guaranteed to be undetected.
Each private build of the cheat is tied to a single machine, to prevent piracy, reselling, and so on.
The license procedure gets the SystemDrive environment variable, and using DeviceIoControl with the parameter IOCTL_DISK_GET_DRIVE_GEOMETRY, reads the technical capabilities of the hard drive. Then the Processor Brand String is also read using the cpuid instruction.
This information is formatted into a string, hashed with SHA1, and mutated with a custom ASCII rotation algorithm:
The resulting string is your unique license, which is sent to the cheat developer when you buy it, and in return you get a build that only works in the computer that generated this license.
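The licensing pipeline described above, reconstructed in Python as an added example (this is not the cheat's code). The post does not give the field order, the separator, or the rotation algorithm, so those three parts are assumptions: the fields are joined with "|" in the order they are mentioned, and `rotate_ascii` is a hypothetical stand-in that rotates hex digits within their own ranges so the result stays printable. The geometry field names follow the Win32 DISK_GEOMETRY structure returned by IOCTL_DISK_GET_DRIVE_GEOMETRY; the values in SAMPLE_MACHINE are constructed.

```python
import hashlib

# Constructed machine fingerprint inputs: the SystemDrive variable, the
# DISK_GEOMETRY fields from IOCTL_DISK_GET_DRIVE_GEOMETRY and the CPUID
# processor brand string.
SAMPLE_MACHINE = {
    "system_drive": "C:",
    "geometry": {                 # field names follow the Win32 DISK_GEOMETRY struct
        "Cylinders": 121601,
        "MediaType": 12,          # FixedMedia
        "TracksPerCylinder": 255,
        "SectorsPerTrack": 63,
        "BytesPerSector": 512,
    },
    "brand_string": "Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz",
}


def format_fingerprint(machine):
    """Join the collected values into one string.
    Assumption: the real field order and separator are not given in the post."""
    g = machine["geometry"]
    fields = [machine["system_drive"], g["Cylinders"], g["MediaType"],
              g["TracksPerCylinder"], g["SectorsPerTrack"], g["BytesPerSector"],
              machine["brand_string"]]
    return "|".join(str(f) for f in fields)


def rotate_ascii(text, shift):
    """Hypothetical stand-in for the cheat's custom ASCII rotation: rotate the
    digits 0-9 and the letters a-f within their own ranges. A negative shift
    reverses the transformation."""
    out = []
    for ch in text:
        if "0" <= ch <= "9":
            out.append(chr((ord(ch) - 48 + shift) % 10 + 48))
        elif "a" <= ch <= "f":
            out.append(chr((ord(ch) - 97 + shift) % 6 + 97))
        else:
            out.append(ch)
    return "".join(out)


def build_license(machine, shift=3):
    """fingerprint -> SHA1 hex digest -> rotated string (the 'license')."""
    digest = hashlib.sha1(format_fingerprint(machine).encode("utf-8")).hexdigest()
    return rotate_ascii(digest, shift)


def license_matches(license_string, machine, shift=3):
    """What a delivered build would do at startup: recompute and compare."""
    return build_license(machine, shift) == license_string


if __name__ == "__main__":
    print(build_license(SAMPLE_MACHINE))
```

Two properties of this design are worth noting from a licensing-security point of view: the inputs are low-entropy and shared by every machine with the same drive model and CPU, and the whole check runs client-side, so the protection rests on the packer keeping the comparison from being patched, which is exactly the role the post attributes to Themida.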
How the cheat works
This cheat is an external cheat, which means all the work is done out of the CS:GO process (no DLL injection).
The first thing it does is open the csgo.exe process, and get the base addresses of client.dll and engine.dll.
Then it uses byte patterns (signatures) to find game structures (offsets) in memory. These patterns usually match opcodes in the game binaries at places where memory pointers are referenced, or other useful information. Patterns are also used to find game functions and strings.
For example, one of the patterns is:
89 0D ? ? ? ? 8B 0D ? ? ? ? 8B F2 8B C1 83 CE 08
If we look for these bytes in the client.dll file, we get the following hit:
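A wildcard pattern scanner of this kind is the same primitive defenders use for signature matching, so here is one in Python as an added example (not the cheat's code). It parses the post's pattern, with "?" standing for one unknown byte, finds it in a buffer, and then reads the 32-bit operand hidden behind the first group of wildcards, which is the pointer the cheat is really after. SAMPLE_CODE is a constructed stand-in for a slice of client.dll and the two operand values in it are made up; when scanning a file on disk rather than memory, the operand is a virtual address and must be mapped through the section headers before use.

```python
import re
import struct


def compile_pattern(text):
    """Turn an IDA-style pattern ("89 0D ? ? ? ? 8B 0D ...") into a bytes regex.
    A '?' or '??' token matches exactly one byte of any value."""
    parts = []
    for tok in text.split():
        if tok in ("?", "??"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(data, text):
    """Return every offset in data where the pattern matches."""
    return [m.start() for m in compile_pattern(text).finditer(data)]


def read_dword(data, offset):
    """Little-endian 32-bit read, as an x86 disp32/imm32 operand is stored."""
    return struct.unpack_from("<I", data, offset)[0]


# Constructed buffer: filler bytes, then the instruction sequence the post's
# pattern describes ("mov [imm32], ecx ; mov ecx, [imm32] ; mov esi, edx ;
# mov eax, ecx ; or esi, 8"), then more filler. The imm32 values are made up.
SAMPLE_CODE = (
    bytes.fromhex("5589E583EC1090")                       # unrelated prologue as filler
    + bytes.fromhex("890D") + struct.pack("<I", 0x10345678)
    + bytes.fromhex("8B0D") + struct.pack("<I", 0x1034567C)
    + bytes.fromhex("8BF28BC183CE08")
    + bytes.fromhex("C3CCCCCC")
)
PATTERN = "89 0D ? ? ? ? 8B 0D ? ? ? ? 8B F2 8B C1 83 CE 08"


def resolve_pointer(data=SAMPLE_CODE, pattern=PATTERN):
    """Locate the pattern and pull out the operand of the first instruction
    (the wildcarded bytes at +2). Exactly one hit is required: a pattern
    that matches twice is ambiguous and must be lengthened."""
    hits = find_pattern(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one hit, got {len(hits)}")
    return hits[0], read_dword(data, hits[0] + 2)


if __name__ == "__main__":
    offset, pointer = resolve_pointer()
    print(f"pattern at offset {offset:#x}, operand {pointer:#010x}")
```

The uniqueness check matters: the whole approach silently breaks after a game update if the surrounding opcodes change, which is the caveat the post raises about the binaries used for this analysis.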
If the cheat wants to run an in-game console command, it can allocate memory in the game process, pass the arguments to the function through that memory, and create a new thread with CreateRemoteThread whose start address is the beginning of the procedure.
When the cheat has located everything it needs, it starts a number of threads, one per feature. These threads are in charge of monitoring and manipulating the game's memory using ReadProcessMemory and WriteProcessMemory.
By changing the values of the internal game structures at will, the cheat achieves the functionality it offers.
I have identified some of the functions and renamed them in my pseudocode:
The public version is poorly protected: the strings are encrypted with a simple algorithm, but there is no code obfuscation or PE packing.
On the other hand, the private version is protected with Themida, a commercial packer that, depending on its configuration, can be quite effective at protecting executables.
It's very likely that they use Themida for two purposes:
The first is to protect the license check from being patched. The program can be manipulated to accept any license while running on a computer, but reconstructing a fully working version of the packed executable and patching it may be quite tricky.
The second, and most important, is to prevent VAC signatures from detecting the cheat while it runs. Themida can protect the original opcodes of the program while it is loaded in memory and running, and writing signatures (patterns) for those opcodes is one of the methods VAC uses to detect cheaters.
If we compare it to other cheats, this one is simple in terms of functionality, but still quite effective.
Bear in mind that the CS:GO binaries used for this analysis are not from the latest game update, as I wrote this a week ago. The binaries I used are:
This means that the cheat signatures may have been slightly modified to work with the new executables, and the offsets probably won't be the same if these binaries changed in the latest version of the game.